billmoller
Level 10
Message 121 of 332

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, your About looks almost identical to mine (versions of platform, TP, amcore, dats, etc) (I'm not running firewall or web control)

From your WMI powershell output, it looks like you also have duplicate ENS providers now... Good times...  However, on yours, the "newer" ENS provider registration (10/9) has the "older" productState (393232).  If WSC/WDA does any kind of querying of WMI, by date descending (to get the latest), this could be your issue (again, many assumptions on my part).

On mine, both duplicate entries have productState 397312.

If you're feeling brave, I'd run the VB script located here, Delete AntiVirusProduct WMI - Clear the anti-virus WMI class from an elevated command prompt (which I have personally run before), then reboot, then... wait (maybe 3 minutes?)... while Microsoft and McAfee re-register themselves (WSC seems to take a bit to get AV status), then re-run the get-wmiobject powershell command again.

 

 

Re: Windows Defender problem reported by MICROSOFT


So, here's something fun and should not have to be the acceptable 'solution'. I had NOT enabled debug logging on the test laptops because, you know, that shouldn't be how this gets fixed. I decided to assign a policy to the clean install computer that enabled logging and after a reboot it reports correctly - for now. We'll see how long that lasts because the laptop I use daily also has debug logging enabled and does NOT report correctly (update install).

Michael
billmoller
Level 10
Message 123 of 332

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, agreed.

When I had debugging on before the October update release, it changed the productState to 397312, so appeared to work (see my posts re: workaround), however, after a random daily update (perhaps AMCore) the productState returned to 343232 which reintroduced the issue.

I also noticed, during "clean install" testing, the Endpoint Product Removal Tool does not delete errant/old McAfee AV providers, which is when I ran that VBScript.

@chealey, is there a chart or link you could post that indicates how to decode productState?  i.e. what's 397312 vs. 343232?

Re: Windows Defender problem reported by MICROSOFT


Did you remove the agent as well when you ran the removal tool? 

Michael
chealey
McAfee Employee
Message 125 of 332

Re: Windows Defender problem reported by MICROSOFT

I don't have a chart as such, but here are the states I know about:

ProductState=262144 = Up to Date Defs, On Access Scanning OFF

ProductState=266240 = Up to Date Defs, ON Access Scanning ON

ProductState=397328 = not Up to Date Defs, ON Access Scanning

ProductState=393216 = Up to Date Defs, On Access Scanning OFF

ProductState=397312 = Up to Date Defs, ON Access Scanning ON

billmoller
Level 10
Message 126 of 332

Re: Windows Defender problem reported by MICROSOFT

Found this in another thread @Nielsb :

Thank you for the idea! I really need this.

Some extra productstate numbers

401408 = onaccess scan disabled

262144 = Antivirus Current - (On-Access Scanner OFF)

262160 = Antivirus Outdated - (On Access Scanner OFF)

266240 = Antivirus Current - (On Access Scanner ON)

266256 = Antivirus Outdated - (On Access Scanner ON)

393216 = Antivirus Current - (On-Access Scanner OFF)

393232 = Antivirus Outdated - (On Access Scanner OFF)

393488 = Antivirus Outdated - (On Access Scanner OFF)

397312 = Antivirus Current - (On Access Scanner ON)

397328 = Antivirus Outdated - (On Access Scanner ON)

397584 = Antivirus Outdated - (On Access Scanner ON)

billmoller
Level 10
Message 127 of 332

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, yes, removed ALL McAfee products with the tool...

SWISS
Reliable Contributor
Message 128 of 332

W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished
W10, 1903 PRO VL, German, All Updates until (except) 10/2019 from WSUS
get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2F
                           AB48962E3}"
displayName              : McAfee Endpoint Security
instanceGuid             : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 09 Oct 2019 08:06:05 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA1
                           32C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 393472
timestamp                : Thu, 19 Sep 2019 16:17:47 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89AF6F535B2C}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89A
                           F6F535B2C}"
displayName              : McAfee Endpoint Security
instanceGuid             : {9D4501E6-72F6-2877-C789-89AF6F535B2C}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 14 Aug 2019 09:12:05 GMT

Re: Windows Defender problem reported by MICROSOFT


So three things I've noticed now:

Clean install and debug logging enabled - success

Running that script and then doing a clean install (though not enabling debugging) - success

Update install, debug logging enabled or not - no success

Michael
billmoller
Level 10
Message 130 of 332

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

@SWISS, is yours working now?  Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).

Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS.  After reboot, a new ENS provider is added.)

@meanoldmanning:

First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).

Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.

I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...

I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...

Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...
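
Added example, not written by any poster in this thread or by McAfee: a PowerShell check that decodes productState and flags duplicate provider registrations whose states disagree, reporting the newest registration per product. The bit meanings (0x1000 = on-access scanner on, 0x10 = definitions out of date) are an inference that fits every value quoted in the thread, not an official mapping; the function names and the sample objects are constructed, with the sample mirroring the case described in message 121.

```powershell
# productState bits inferred from the values listed in this thread (assumption, not an
# official mapping): 0x1000 = on-access scanner ON, 0x0010 = definitions out of date.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    [pscustomobject]@{
        Hex          = '0x{0:X6}' -f $ProductState
        OnAccessOn   = [bool]($ProductState -band 0x1000)
        DefsUpToDate = -not [bool]($ProductState -band 0x0010)
    }
}

# Group providers by displayName and report duplicates whose states disagree.
function Get-AvProviderReport {
    param([Parameter(Mandatory)][object[]]$Provider)
    $Provider | Group-Object -Property displayName | ForEach-Object {
        # Newest registration first; invariant culture so the RFC 1123 timestamp
        # string also parses on non-English systems.
        $sorted = @($_.Group | Sort-Object -Descending -Property {
            [datetime]::Parse($_.timestamp, [cultureinfo]::InvariantCulture) })
        $newest = ConvertFrom-ProductState -ProductState $sorted[0].productState
        [pscustomobject]@{
            Product        = $_.Name
            Registrations  = $sorted.Count
            States         = ($sorted.productState -join ', ')
            StatesDisagree = (@($sorted.productState | Select-Object -Unique).Count -gt 1)
            NewestOnAccess = $newest.OnAccessOn
            NewestDefsOk   = $newest.DefsUpToDate
        }
    }
}

# Constructed sample: two ENS registrations where the newer one carries 393232.
# On a live client, replace it with:
#   $providers = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
$providers = @(
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; productState = 393232
                       timestamp = 'Wed, 09 Oct 2019 08:06:05 GMT' }
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; productState = 397312
                       timestamp = 'Wed, 14 Aug 2019 09:12:05 GMT' }
    [pscustomobject]@{ displayName = 'Windows Defender'; productState = 393472
                       timestamp = 'Thu, 19 Sep 2019 16:17:47 GMT' }
)
Get-AvProviderReport -Provider $providers | Format-Table -AutoSize
```

A row with Registrations greater than 1 and StatesDisagree set to True is the duplicate-provider condition discussed above; run across a fleet, it shows which machines carry stale registrations without touching the WMI class.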
